Writing a filter for a regex that works in fail2ban-regex on the command line - fail2ban

I have entries like these in apache2 error.log
[Thu Jan 12 09:18:51.078445 2023] [core:error] [pid 47992] [client 152.89.196.211:53158] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
[Wed Jan 11 06:01:09.820582 2023] [core:error] [pid 30833] [client 185.225.74.55:39856] AH10244: invalid URI path (/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh)
[Wed Jan 11 17:16:49.643509 2023] [core:error] [pid 41882] [client 152.89.196.211:52746] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
I got this to work on the command line:
fail2ban-regex test.log '.*\[client <HOST>:\d+\] AH10244.*$'
Every time I try to stick the regex into a .conf file like so:
[Definition]
failregex = .*\[client <HOST>:\d+\] AH10244.*$
ignoreregex =
fail2ban complains:
Running tests
=============
Use failregex line : filter.conf
ERROR: No failure-id group in 'filter.conf'
I've looked in the man pages and online but I can't find an explanation of what this message is trying to say, or how to fix it.
The Questions
How do I wrap a .conf file around this regex?
What does that error mean?
Could I (how would I) use the pre-defined stuff in apache-common.conf to make this regex more robust?

This fixed it:
fail2ban-regex test.log ./filter.conf
I had my test files (test.log and filter.conf) in my home dir. When I (from the home dir) issued the command:
fail2ban-regex test.log filter.conf
I assumed that I was referencing ./test.log and ./filter.conf but I think that fail2ban was looking in the filter.d/ folder to try to find filter.conf.
I found that if filter.conf was in the /etc/fail2ban/filter.d/ folder, then fail2ban-regex test.log filter.conf succeeded.

Related

Getting error in perl Can't find string terminator "EOF" anywhere before EOF at /var/www/sandeep/testeof.cgi line 2

I am using Perl to print some data, but it is giving me an error: Can't find string terminator "EOF" anywhere before EOF at
The code is:
#!/usr/local/bin/perl -w
print <<EOF;
hello
EOF
ERROR:
[Mon May 23 11:32:12 2016] [error] [client 192.168.10.117] Directory index forbidden by Options directive: /var/www/, referer: http://192.168.10.100/
[Mon May 23 11:32:12 2016] [error] [client 192.168.10.117] malformed header from script. Bad header=hello: testeof.cgi
[Mon May 23 11:32:18 2016] [error] [client 192.168.10.117] Directory index forbidden by Options directive: /var/www/, referer: http://192.168.10.100/
[Mon May 23 11:32:18 2016] [error] [client 192.168.10.117] Can't find string terminator "EOF" anywhere before EOF at /var/www/sandeep/testeof.cgi line 2.
[Mon May 23 11:32:18 2016] [error] [client 192.168.10.117] Premature end of script headers: testeof.cgi
I tried putting EOF in single quotes (print <<'EOF';) as shown in this answer, but the error is the same. Printing by this method is working in other files in the same directory.
I also referred to this question (Why am I getting "Can't find string terminator "'" anywhere before EOF at -e line 1" when I try to run a Perl one-liner on Windows?), but in that question the OP is using a different method to print and I am using Linux (Ubuntu).
Please guide me on where I am going wrong.
Your code is correct.
Ensure that your EOF is on a single line with no spaces around it.
Use quotes to designate your terminator:
print <<_EOF_;
hi $$
_EOF_
print <<"_EOF_";
hi $$
_EOF_
Both are exactly the same (print hi 12345 where 12345 is the process id of the current process), but the second one is more clear compared to single quotes:
print <<'_EOF_';
hi $$
_EOF_
This one will print hi $$, because no variable replacing is done with single quotes.
Web scripts always require a header (at least for Apache). Add this line as the first output line to get rid of the malformed header from script error:
print "Content-type: text/html\r\n\r\n";

fail2Ban apache-noscript line missed

I'm trying, without success, to ban this line using fail2ban-regex:
root#XXXX:/etc/fail2ban#fail2ban-regex '[Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] [client 1.2.3.4:38909] script '/var/html/abc.php' not found or unable to stat' filter.d/apache-noscript.conf
using the original failregex in the apache-noscript
failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.a$
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
the result is line 'missed' (I was waiting for line 'matched')
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
|- Missed line(s):
| [Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] [client 1.2.3.4:38909] script /var/html/abc.php not found or unable to stat
Please, do you know the The_good_failregex to match this line (as in the standard log)? (Fail2Ban v0.8.11 Apache/2.4.7 (Ubuntu)):
fail2ban-regex '[Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] [client 1.2.3.4:38909] script '/var/html/abc.php' not found or unable to stat' The_good_failregex
Many Thanks for your help.
It seems to be a version issue.
Fail2Ban v0.8.11 was currently used;
it needs to be updated to v0.8.12 (:? before 'error' ...)
_apache_error_client = [[^]]*] [(:?error|\S+:\S+)]( [pid \d+(:\S+ \d+)?])? [client (:\d{1,5})
Thanks.
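The two fail2ban threads above come down to the same mechanics, shown here as an added Python example that is not code from fail2ban or from any of the posters: a failregex must carry a `<HOST>` group (the quoted output shows `filter.conf` itself being used as the failregex line, and that string has none), and a pattern anchored on the error-log prefix takes the address only from the client field. Assumptions: `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` expansion, `PREFIX` is modelled on the `_apache_error_client` value quoted above with the brackets escaped, the third log line is constructed, and the function names are hypothetical.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag, captured as "host".
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumption: prefix modelled on the _apache_error_client value quoted on this
# page, brackets escaped. A filter that includes apache-common.conf would write
# %(_apache_error_client)s here instead.
PREFIX = (r"^\[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?"
          r" \[client <HOST>(:\d{1,5})?\]")
# Same prefix without ":?" before "error", built only for comparison.
PREFIX_NO_COLON = PREFIX.replace("(:?error", "(error")

UNANCHORED = r".*\[client <HOST>:\d+\] AH10244.*$"  # regex from the question
ANCHORED = PREFIX + r" AH10244: invalid URI path \("
NOSCRIPT = (r" script '/\S*(\.php|\.asp|\.exe|\.pl)\S*'"
            r" not found or unable to stat\s*$")

# Lines 0 and 1 come from the page. Line 2 is constructed: the real client is
# 198.51.100.7 and the message text only quotes a client-like fragment.
LINES = [
    "[Thu Jan 12 09:18:51.078445 2023] [core:error] [pid 47992] "
    "[client 152.89.196.211:53158] AH10244: invalid URI path "
    "(/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)",
    "[Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] "
    "[client 1.2.3.4:38909] script '/var/html/abc.php' not found or unable to stat",
    "[Thu Jan 12 09:20:00.000000 2023] [app:notice] [pid 47992] "
    "[client 198.51.100.7:40000] note: [client 203.0.113.9:1] AH10244 seen",
]

def compile_failregex(failregex):
    """Expand <HOST>; refuse a pattern that cannot yield an address."""
    if "<HOST>" not in failregex:
        raise ValueError("No failure-id group in %r" % failregex)
    return re.compile(failregex.replace("<HOST>", HOST))

def hosts(failregex, lines=LINES):
    """Return one entry per line: the captured address, or None for a miss."""
    rx = compile_failregex(failregex)
    matches = (rx.search(line) for line in lines)
    return [m.group("host") if m else None for m in matches]

if __name__ == "__main__":
    for label, rx in [("unanchored", UNANCHORED), ("anchored", ANCHORED),
                      ("noscript, :?error", PREFIX + NOSCRIPT),
                      ("noscript, error", PREFIX_NO_COLON + NOSCRIPT)]:
        print("%-18s %s" % (label, hosts(rx)))
```

The unanchored pattern reports 203.0.113.9 for the constructed line although its client field says 198.51.100.7, while the anchored pattern skips that line. Without `:?` the `[:error]` line from the apache-noscript question is missed.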

Zend ACL class not being found by FrontController

I think it's a simple path issue here - but I've spent the last 2 hours trying various combinations and am not able to resolve this. The code is working fine on my Windows system, but when I upload it to my hosting site on a Linux OS, it doesn't find the ACL file.
This is how the paths are defined in my index.php
// Define path to application directory
defined('APPLICATION_PATH') || define('APPLICATION_PATH', realpath(dirname(__FILE__) . '/../application'));
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
    realpath(APPLICATION_PATH . '/../library'),
    get_include_path(),
)));
This is the line in application.ini
resources.frontController.plugins.acl = "Ed_Controller_Plugin_Acl"
This is the bootstrap.php relevant code
protected function _initAutoload()
{
.......
Zend_Loader_Autoloader::getInstance()->registerNamespace('Ed_');
.......
}
These are the errors I am getting on the linux system and the ACL doesn't work
[Sat Oct 01 14:26:44 2011] [error] [client 122.164.175.204] PHP Warning: include_once(Ed/Controller/Plugin/Acl.php): failed to open stream: No such file or directory in /home/webadmin/dezyre.com/library/Zend/Loader.php on line 146
[Sat Oct 01 14:26:44 2011] [error] [client 122.164.175.204] PHP Warning: include_once(): Failed opening 'Ed/Controller/Plugin/Acl.php' for inclusion (include_path='/home/webadmin/dezyre.com/application/../library:/home/webadmin/dezyre.com/library:.:/usr/share/pear:/usr/share/php') in /home/webadmin/dezyre.com/library/Zend/Loader.php on line 146
[Sat Oct 01 14:26:44 2011] [error] [client 122.164.175.204] PHP Fatal error: Class 'Ed_Controller_Plugin_Acl' not found in /home/webadmin/dezyre.com/library/Zend/Application/Resource/Frontcontroller.php on line 117
Thanks for your time
Appreciate it
Remember that *ix is all case sensitive with file names. Therefore directories must start in uppercase. If they don't, Windows won't complain - but Linux will.

Odd cgi behaviour

I am getting some very annoying behaviour from my perl cgi scripts running under apache.
I get referer information added on the end of simple print statements, and it's driving me nuts.
[Sun Feb 20 21:34:47 2011] [error] [client xx] ruid: 48, referer: http://www.x.com/
[Sun Feb 20 21:34:47 2011] [error] [client xx] euid: 48, referer: http://www.x.com/
[Sun Feb 20 21:34:47 2011] [error] [client xx] test, referer: http://www.x.com/
[Sun Feb 20 21:34:47 2011] [error] [client xx] Premature end of script headers: test.cgi, referer: http://www.x.com/
This only seems to happen when the url is reached by navigating from another page (hence having a referer yes). The above apache log output was produced with the below incredibly simple demo script:
#!/usr/bin/perl -w
use strict;
use warnings;
use CGI;
my $q = CGI->new;
print STDERR "ruid: $<\n";
print STDERR "euid: $>\n";
print STDERR "test\n";
Anyone seen this before? It feels like an Apache setting I need to turn off.
Thanks
Matt
Take a look at your apache config files (httpd.conf and friends) and find the CustomLog directive which is used by your error log to see which LogFormat it uses, then modify that LogFormat (or create a new one) to remove %{Referer} from the list of fields to include in the log messages. (And don't forget to reload the apache config after changing it, of course.)

How can I create and maintain sessions in series of Perl CGI scripts?

I am new to CGI-Perl and sessions. I have a problem running the following code.
I have four files
1. Session.html or Session.pm
2. name.pl
3. hobbies.pl
4. job.pl
The Session.pm is placed in the /var/www/html folder and the rest of the files are placed in the /var/www/cgi-bin/session folder.
I have a basic HTML file (Session.html) which has a link to a Perl script; it is giving the following error:
[Mon Jan 04 14:21:24 2010] [error] [client ::1] Options ExecCGI is off in this directory: /var/www/html/name.pl, referer: http://localhost/Session.html
[Mon Jan 04 14:21:29 2010] [error] [client ::1] Options ExecCGI is off in this directory: /var/www/html/name.pl, referer: http://localhost/Session.html
[Mon Jan 04 14:22:42 2010] [error] [client ::1] (13)Permission denied: exec of '/var/www/cgi-bin/session/name.pl' failed, referer: http://localhost/Session.pm
[Mon Jan 04 14:22:42 2010] [error] [client ::1] Premature end of script headers: name.pl, referer: http://localhost/Session.pm
Please help me out in executing the above example. Please give me the steps to be followed from the start.
... Options ExecCGI is off in this directory: /var/www/html/name.pl, ...
This error points to trying to run name.pl in /var/www/html/ instead of /var/www/cgi-bin/session/
Is the Session.html you posted correct because it doesn't seem to tally with this error?
... (13)Permission denied: exec of '/var/www/cgi-bin/session/name.pl' failed, ...
The name.pl cannot be run because it doesn't have execution rights set (on Linux/Unix you need to chmod a+x name.pl).
You may need to show what Session.pm does (it doesn't look like you are using the CPAN module Session here).
On a general note, I would consider simplifying what you are doing down to a simple HTML & CGI script first and get that working. Then start looking into sessions etc.
Check out Ovid's CGI Tutorial for some sage advice on the Perl/CGI subject.
/I3az/